rsenden
commented
1 year ago SSC always returns an HTTP 200 OK response on the token revocation endpoint, so fcli doesn't know whether there was any error deleting the token. Not sure whether SSC always returning 200 OK is on purpose (maybe for security reasons), or should be considered a bug.
Having said that, potentially fcli could do some additional checks. The fcli ssc token revoke command accepts either token id's (which should be numeric) or token values. If a non-numeric value is given, it is assumed a token value in either encoded or decoded form.
If token id's are provided, fcli can use the /api/v1/tokens endpoint to see whether those token id's actually exists.
For token values, we cannot do such a check as none of the SSC endpoints return token values or allow for checking whether a given token value is valid. However, potentially we could perform the following checks:
- Verify that the given token value is using a valid token format (also see #295); this doesn't ensure that the token actually exists on SSC, but would catch values that don't match the expected format, like
CITokenin the example above - Use an SSC bulk request to request the current token id's, revoke the given tokens, and then request the current token id's again; if all token id's from the first request are still present in the last request, then apparently the given tokens were not revoked. Of course, there's a small risk that some other process deleted some tokens, therefore incorrectly reporting success even if no token was revoked, but we minimize this risk by using a bulk request to minimize the window of opportunity for other processes to revoke tokens.
fcli ssc token revoke CIToken --user
<user>--password<pass>--url<url>Response code 200Specifying name instead of ID returns 200 OK and no token is deleted, I assume the response should mention that this action cannot be done with token name but rather with the token's ID.